Taming Security with Tools: Making Compliance a Reality
Brad Doctor, VMware, Inc.; Craig Savage, VMware, Inc.
VMworld 2018, session LDT1719BU (#vmworld #LDT1719BU)
VMworld 2018 Content: Not for publication or distribution

Jun 25, 2020

Page 1

Taming Security with Tools: Making Compliance a Reality

Brad Doctor, VMware, Inc.
Craig Savage, VMware, Inc.

LDT1719BU

Page 2

Disclaimer

©2018 VMware, Inc.

This presentation may contain product features or functionality that are currently under development.

This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.

Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.

Technical feasibility and market demand will affect final delivery.

Pricing and packaging for any new features/functionality/technology discussed or presented have not been determined.

Page 3

Security Needs to Be Synonymous with Simplicity

Page 4

Agenda

Introductions: Who are these two people?

What tools should be tamed? And which should we let go free

Case study – VMware: How we’ve transformed our Information Security

How to best use your VMware tools: Keeping it simple and successful

Wrap up: Consider how you’ll use these insights

Page 5

What Does Brad Do?

Brad Doctor (CISSP): Innovative security professional with over 20 years of experience. As the Sr. Director of Security Architecture and Engineering currently for VMware and previously for Level 3 Communications, I have been at the forefront of cloud security architecture for nearly 10 years, and have led design efforts for several commercially available security products. With nearly 20 patents in various technology domains I not only lead, I innovate and influence the cloud security industry.

Page 6

What Does Craig Do?

Craig Savage (CISSP): Craig has been an Enterprise Architect and Governance, Risk and Compliance consultant for VMware and previously Accenture, Airbus and Capgemini. Based in the UK, Craig has worked with many VMware customers helping them adopt a service driven culture, enhancing working practices and making best use of VMware technologies.

(Diagram: People, Process, Technology)

Page 7

Taming Tool Sprawl
Enabling clarity

Page 8

Struggling to Transform

Operations teams are so reactive that there’s little time for innovation

Operational practices are hugely complex and based on legacy IT

Siloed organization inhibiting effective communication and collaborative working

Can’t respond quickly enough to meet changing needs of the business

Lack of trust in InfoSec’s ability to deliver high quality, cost-transparent services

Trouble achieving or hesitant to even offer SLAs

Page 9

The Scale of IT Security Tools

Page 10

Case Study: The VMware Journey
Applying the 5 pillars of cyber hygiene at VMware

Page 11

Snapshot of our Internal Infrastructure (IT-managed environment)

Offices / Data Centers: 9 / 117
Avg. no. of VMs created & deleted weekly: 1,000,000
VMware ESXi hosts: 6,000
Avg. no. of containers created & deleted weekly: 130,000
Apps micro-segmented using VMware NSX: 55
Production apps in VMware Cloud on AWS: 3
VMware vSAN raw storage: 10.3 PB
Devices managed by AirWatch: 73,000

Page 12

This Is Where We Are Today

Page 13

What Are the Five Pillars of Cyber Hygiene?

Page 14

Pillar 1: Micro-segmentation

(Diagram: IoT, Cloud, Data center, Branch office, App)

Abstract networking and security from the underlying infrastructure

All new environments are micro-segmented

Moving toward NSX-T

Traffic rules are bidirectional

Existing environments are transitioned to NSX on a regular basis

Page 15

Pillar 2: Patching

All production systems are patched on a regular basis

All systems are scanned on a regular basis

Patching metrics are CIO-level reported

Extensive automation is in place to make the process easier

Page 16

Pillar 3: Encryption

All managed user devices are encrypted

All traffic served to the world is encrypted

All WAN links are encrypted

All cloud-hosted data is encrypted

Page 17

Pillar 4: Multi-factor Authentication

All access to VMware networks requires MFA with no exceptions

Certificates are pushed to managed endpoints and are used to access Workspace ONE, Wi-Fi, etc.

VMware Identity Manager (vIDM) is location-aware and tailors the authentication experience accordingly

Working toward eliminating passwords and employing a 'Push' authentication model

Page 18

Pillar 5: Least Privilege

01 Employ and govern well-defined roles across the infrastructure

02 Use 'sudo' or similar privilege escalation mechanism

03 Log all privileged operations and employ systems that automatically look for anomalies
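Pillar 5 asks for every privileged operation to be logged and for systems that automatically look for anomalies. As an added illustration (not code from the presentation), this Python snippet parses sudo's standard syslog lines and flags operations that fall outside an assumed role policy; the role table, host sets and log lines are constructed for the example.

```python
import re
# sudo's standard syslog line; failed attempts carry a message before the TTY field.
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r"(?:(?P<msg>[^;]+?) ; )?TTY=\S+ ; PWD=\S+ ; USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.+)$"
)
# Assumed role policy (hypothetical values): commands each role may run under sudo,
# and the hosts each account is expected to administer.
ROLE_COMMANDS = {
    "web-admin": {"/usr/bin/systemctl", "/usr/bin/journalctl"},
    "db-admin": {"/usr/bin/systemctl", "/usr/bin/mysql"},
}
USERS = {
    "alice": {"role": "web-admin", "hosts": {"web01", "web02"}},
    "bob": {"role": "db-admin", "hosts": {"db01"}},
}

def parse_sudo_line(line):
    """Return the fields of one sudo log line, or None for any other log line."""
    m = SUDO_RE.match(line)
    return m.groupdict() if m else None

def find_anomalies(lines):
    """Flag privileged operations outside the defined role or host set, or refused by sudo."""
    findings = []
    for line in lines:
        rec = parse_sudo_line(line)
        if rec is None:
            continue
        reasons = []
        policy = USERS.get(rec["user"])
        if policy is None:
            reasons.append("no-role")          # privileged use by an account with no role
        else:
            if rec["cmd"].split()[0] not in ROLE_COMMANDS[policy["role"]]:
                reasons.append("outside-role")
            if rec["host"] not in policy["hosts"]:
                reasons.append("unexpected-host")
        if rec["msg"]:
            reasons.append("sudo-denied")      # sudo refused the command or auth failed
        if reasons:
            findings.append((rec["user"], rec["host"], rec["cmd"], reasons))
    return findings

# Constructed sample lines in sudo's syslog format (not taken from the presentation).
SAMPLE_LOG = [
    "Sep 12 09:14:03 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx",
    "Sep 12 11:02:45 db01 sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash",
    "Sep 12 11:03:10 db01 sudo:    bob : command not allowed ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/vim /etc/sudoers",
    "Sep 12 12:00:00 web02 sudo:    mallory : TTY=pts/2 ; PWD=/tmp ; USER=root ; COMMAND=/bin/bash",
    "Sep 12 12:00:05 web02 sshd[2210]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2",
]
```

Running `find_anomalies(SAMPLE_LOG)` returns three findings: alice on an unexpected host running a shell, bob's refused sudoers edit, and sudo use by an account with no defined role; the sshd line is ignored.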

Page 19

KPI’s That Point Toward a Successful Transformation
Everything is measurable – what are the goals?

Patching metrics – all critical patches applied within 24 hours of release, or less

Percentage of encrypted devices – 99% is the goal – eliminate legacy OS wherever possible

Percentage of applications managed by an IGA – ensure offboarding is performed immediately or as defined, reliably

Micro-segmented by default. Define the good rather than just try to prevent the bad

MFA by default – all external network access must be MFA. Eliminate the use of 1FA!

Reduce your dwell time – from days to hours, to minutes

Page 20

Making InfoSec @ VMware a Success
Making it easy for the end user

People – invest in your people, a happy and well performing team gets more done

Process – make it easy for users to be secure!

Technology – rationalize, use existing investments, focus on simplicity

Page 21

Using Your VMware Advantage
Airwatch, NSX, Wavefront and others

Page 22

NSX - On-Demand Micro-segmentation
Logical segmentation around application boundaries

(Diagram: perimeter firewall and inside firewall; DMZ, App, Services and DB tiers for App 1, App 2 and App 3; shared AD, NTP, DHCP, DNS and CERT services)

Operationally infeasible and cost prohibitive with traditional firewalls

• Security is shrink-wrapped around each workload

• Firewall rules are enforced at the vNIC level: “micro trust zone” for each workload

• Threats are not able to infiltrate other applications and exfiltrate data to the outside

Page 23

Wavefront
Integrating PKS (and others) into your enterprise security

Page 24

Analytics Within VMware Products Today

vRealize Log Insight: Intelligent log management and analytics.

Log IQ: SaaS-based intelligent log management and analytics.

Wavefront: SaaS-based metrics monitoring and analytics platform that handles the high-scale requirements of modern cloud-native applications.

Apteligent/Workspace One Intelligence: Mobile application performance and engagement insights such as predictive modeling of the end user environment and automated anomaly detection & remediation.

Skyline: Proactive support technology that brings high-performing technology and tools to the workbench to radically transform customer support.

vSAN: The first product to build an analytics feature on top of telemetry data and deliver operational value to customers through a customer-facing UI and support channel.

vRealize Operations: Intelligent IT operations management from applications to infrastructure with Dynamic Threshold and Capacity Planning.

Page 25

The shift in Operational Risk
Courtesy of (ISC)2

Traditional resilience measures are becoming obsolete at a rapid rate, leaving companies without the ability to actively monitor for security incidents and/or understand how to cope with the dynamic infrastructure and scale they are developing as they move over to cloud infrastructures. Operational requirements are shifting with digital transformation, and companies are asking not just how do we get more skilled talent, but also, how does the team need to evolve?

Page 26

Making Simplicity Happen
Helping establish core IT Transformation building blocks

People – Establish an organisation and teams capable of operating the core solution elements as well as being able to start managing the defined service through its entire lifecycle (Operational Readiness)

Service-Driven Implementation – Collaboratively work with your team and your business units to define the initial service supporting the identified app migration candidates and how this service will be presented and delivered

Process – Remove process barriers and gaps to establish efficiency gains and operational improvement by means of automation

Technology – Work closely with technical delivery teams to ensure success in designing and implementing the initial defined service

Everyone is responsible – Information security is everyone’s responsibility, from IT architects designing new infrastructure to system administrators.

Page 27

Q/A


Page 29

PLEASE FILL OUT YOUR SURVEY.
Take a survey and enter a drawing for a VMware company store gift card.

#vmworld #LDT1719BU

Page 30

THANK YOU!

#vmworld #LDT1719BU